Security Holes in CVS and Subversion Found

joe_bruin writes "News.com.com is reporting a two separate vulnerabilities that affect current versions of CVS and Subversion source control systems. Apparently, major users of these products (Linux and BSD distros, Samba, etc.) have been notified and have patched their systems." Update: 05/20 02:01 GMT by S : Clarification that there are separate issues for both CVS and Subversion.

Sourceforge...

[Samah]

...had better get proactive :)
God knows it took them ages to get their CVS server problems resolved a few years back.

*points /. to help out its fellow OSDN member*

Re:Sourceforge...

[nacturation]

If they don't fix it in time, does this mean they'll be changing their name to Sourceforget?

Re:Sourceforge...

[jpetts]

If they don't fix it in time, does this mean they'll be changing their name to Sourceforget?

No, it means they'll be changing their name to ForgeSource

Re:Sourceforge...

[linzeal]

No it means they will have things like this coming up.

h4(|{3Ð b $n00p, 94nÐ4 4nÐ r3Ð 7h3 q33r. 0v3 0 m4m4 0n9 71m3!

Re:Sourceforge...

[Bingo+Foo]

SCO wants their name changed to Sourceforgery.

Re:Sourceforge...

[PotPieMan]

Well, as far as I know, SourceForge uses pserver only for anonymous CVS access. Presumably, the anonymous CVS uses a read-only filesystem. If someone were to exploit this vulnerability, it would probably be pretty difficult for them to cause any problems.

Developers have access over SSH, and hopefully only have access to their project. There are obviously some concerns with malicious developers or people breaking into a developer's account, but the chances are pretty slim.

I don't think this was mentioned anywhere else, but the original annoucement includes a note about SourceForge finding a problem with the security patch breaking compatibility with some versions of WinCVS and TortoiseCVS.

Re:Sourceforge...

[Geekenstein]

No, if they don't fix it in time, *I'LL* change their name for them. *EEEEVVVILLLL*

Re:Sourceforge...

[Bill+Currie]

Anonymous cvs requires write access to the tree for the lock files. Annoying but true.

Re:Sourceforge...

[Chainsaw]

Actually, you can make a separate tree for the lock files. Not that hard, just check out the administrative CVSROOT directory and examine the config file (if I remember correctly). It's there in someone of the files.

Who ever said only closed source was vunrable?

[Marxist+Hacker+42]

Man- I used CVS in a project just last year. Sure hope Olivetree has patched their server.

Re:Who ever said only closed source was vunrable?

[tolan-b]

Who ever said only closed source was vunrable?

Er.. I don't think I've heard anyone except shouty 12 year olds with no clue say that.

Thankfully, I use Visual Source Safe

If you compromise it, it's so broken you can't even use it to control source.

Just goes to show...

[georgewilliamherbert]

No amount of code review, open source or proprietary, can guarantee that there isn't some lurking bug in the application. We have probably not yet found all the ways there can be security holes, much less all the actual holes in any given thing.

Developers and admins have to keep security aware constantly, which is one of the hardest problems in real production environments.

Re:Just goes to show...

[cduffy]

AFAIK is the only language that automatically does bounds checking

Not by a long shot.

Python, most Scheme implementations, Haskel, ADA, and many, many languages provide similar safety features.

As you say, though, pity they're not more often used.

Re:Just goes to show...

[The+Bungi]

I'll post something along these lines in the next Microsoft vulnerability article and we'll see if I get modded +5 with alacrity.

Re:Just goes to show...

[Minna+Kirai]

In the current climate, it is just plain foolish to use a language without bounds checking in a security critical capacity.

Ironically, CVS was originally a Perl program until a C version was needed to make it real software.

Re:Just goes to show...

[bladernr]

No amount of code review, open source or proprietary, can guarantee that there isn't some lurking bug in the application.

I've been thinking through the dynamics of OSS. For a moment, let's forget Linux, Apache, FreeBSD and the four or five other "big guys" out there (the reason: they seem to be managed much like commercial software, in a hierarchial, closed-group fashion, just without the keeping the code a secret part).

For the vast majority of little OSS that is in so many systems, large and small, is there really any empirical proof that OSS is more secure than proprietary software? I've been wondering if it isn't possible that its even less secure.

The reason is the dynamics of programmer laziness (and I'm a programmer myself.... I know all about it). Combing through code looking for buffer overflows is tedious and repetative. How many programmers really do it all the time, every time?

I also understand the "millions of eyeballs" argument, but doesn't that really apply again to the "big guys." Does anyone really believe that literally millions of people have done detailed reviews of the myriad small programs and libraries present on a typical open source operating system?

I don't know, perhaps I'm wrong, but I'm wondering if there may not be a group-think problem here. I don't look at those tools, because everyone else is, and I'm lazy. I may poke through kernel source because it interests me, but TinyXML source does not. In a commercial environment, I make developers do it, but, except on the few big OSSes that are run basically like commerical operations, how are we really sure it is more, and not less, secure?

Re:Just goes to show...

[harikiri]

Aren't most of the scripting languages (perl, python, ruby, tcl) secure against standard buffer overflow attacks?

Considering the speed improvements in both the interpreters for these languages, and general processors, I'm suprised more network services (smtp, web, ftp) aren't being written either entirely in these languages, or with a mixture of scripting and native C modules for the areas that need better performance.

There's a few examples that I've seen out there that already do this, like Zope and Aolserver (i think). Of course, this approach may only eliminate one type of vulnerability, and still leaves other things like these that appeared for Zope at the beginning of the year.

Re:Just goes to show...

[bluGill]

In every commercial software house I've been in the source has been available for my review, but I wasn't given time to do it, nor was anyone else. In fact while I was allowed to read other's code, I was rarely allowed to change it, and I wasn't encouraged to suggest changes.

In open source I've read a lot of code, not just for fun, but because I'm not limited in the code I can change so I tend to change code in larger parts. That means I have to understand larger parts.

Now I'm not smart enough to have found a security flaw (yet?), but I have at least read it. Despite working 40 hours programing for years, I've found more opportunity to read other code in the open source movement. I've read some kernel code (didn't understand it), and a lot of KDE code (resulted in a few patches). I've also read code for a few other systems, but didn't get around to doing anything.

Re:Just goes to show...

[Zancarius]

In a commercial environment, I make developers do it, but, except on the few big OSSes that are run basically like commerical operations, how are we really sure it is more, and not less, secure?

While you may be correct -- Open Source may very well be riddled with just as many bugs -- the argument shouldn't be focused on which is more secure but rather on which is more fixable. Open Source is rendered a benefit that closed source lacks: the ability to fix the source yourself. Compare the security flaws released in the last six months on sites like CERT--generally, Open Source outfits release patches much sooner than commercial counterparts. Sure, this doesn't always hold true, but Open Source grants yet another benefit: Users of Open Source are, IMO, more aware of the implications and importance of security and are thus more proactive when an exploit is discovered.

And, again, I can't stress the "fix it yourself" argument enough!

Re:Just goes to show...

[clandestine_nova]

I actually did a small report on OSS a little while back; I'm about to fix it up for my good copy. Needless to say it's terribly written, and mostly based upon my own knowledge. However, I did come across a few of the problems you're describing.

You're right that the main problem with the "millions of reviewers" argument is that there is some question as to whether this review even happens; I personally hate reviewing my code. OSS, as it is, is either developed as a commercial product, and thus security is essential, or it is developed small-scale, where security is a very miniscule issue in comparison.

Logically, it makes sense that the more popular a piece of software is, the more it gets used and the source browsed. As well, the bugs that do get found can be fixed much faster than their commercial counterparts.

Although I've yet to see whether that argument is really true, it sounds logical to me.

Re:Just goes to show...

Yes we are lazy and many of us want to have our name in the contributers list. That is the biggest reason for contributing to the code.
Debugging code is the quickest and easiest way into the contributers list.

Also when a project enters "frease" it's the ONLY way to get on the contributers list.

Having said that. The only real way to make sure the code is bug free is to make it really small.

The less code you have to manage the easier it is to see the bugs.

But you'll never make a powerful operating system in 10 lines or less.

Re:Just goes to show...

[darnok]

I think you raise a really good point - hope you don't get modded down and people miss it...

I think a sizeable number of people read through source code as a way of educating themselves. OSS code is (as you point out, rightly or wrongly) seen as a source of very well-written code, and if I was going to teach myself something from someone else's source code, I'd be inclined to use OSS code as a starting point.

As these people educating themselves start to learn about what e.g. a buffer overflow is, what it looks like and how to avoid it, they'll think back to the OSS code they've read through and either mentally congratulate the author or possibly notify him/her to say their code has a security hole in it. I'm not sure: OSS code may even be used as a teaching tool in universities, in which case there will be lots of reviewers.

This reviewing-as-you're-learning approach would probably only apply to big OSS projects such as Apache or the Linux kernel I can't imagine a lot of people are suddenly going to start teaching themselves about buffer overflows using e.g. the Ethereal source. However, it's projects such as Apache and Linux that would be most at risk from buffer overflows; a buffer overflow in Ethereal, while it may be important, isn't likely to lead to lots of exploits in the real world.

Good point though - I'll be interested in what other replies you get

Re:Just goes to show...

[Anthony+Boyd]

I also understand the "millions of eyeballs" argument, but doesn't that really apply again to the "big guys." Does anyone really believe that literally millions of people have done detailed reviews of the myriad small programs and libraries present on a typical open source operating system?

I have two software products, very small, that I've put out into the wild. I licensed them under BSD, so it's open source. My program PHPortfolio had a weakness in version 1.0. It only worked if installed at the top-level of a Web server. The first few people who installed my software coded up patches for themselves, and sent bug reports to me. In a later version, the thumbnailing feature was poorly done, and someone "donated" a few lines of code to improve it. So yes, the "eyeballs" argument seems to work even for small projects. Although they didn't give me their patches in every case (which is OK by the BSD license), they did give me bug reports.

I also have a program called phpBB Blog which, if you look in my forums, has a 1.0 beta out. A handful of people have downloaded it, but I've had no bug reports & no patches so far. In this case, it looks like the extra eyeballs (and there are a few) are not doing me much good. Or else the code is solid, which I doubt. :)

In any case, I think the open source model does work on a small level for small projects and it works on a big level for big projects. I suspect the only place it would fall apart is trying to tackle a big project with only a small base of support/fans. Having only a very few eyeballs scanning over a huge codebase doesn't sound like it can ensure high quality in the majority of such cases. That might need some cathedral-style development.

Re:Just goes to show...

[boots@work]

Systems which are more fixable, or more quickly fixed (which is slightly different) present a real-world advantage.

Discovery of a vulnerability in say CVS or IIS does not mean every installation in the world will be compromised immediately. It means that the clock starts ticking. If a fix is released and applied more quickly, then there is less risk that any given machine will be compromised. Look at Schneier's "exposure envelope" model.

Historically open source has done reasonably well, though not perfectly, at releasing fixes very soon after vulnerabilities become known to the author. Open source projects tend to also be more responsive to reports, which encourages security reporters to do the right thing and report to the authors, knowing that they will get a quick response and proper credit.

There are many reports of proprietary companies sitting on vulnerabilities for more than a year. I have seen Microsoft sit on one for a couple of months. That is an enormous exposure. Being able to fix it yourself may be cold comfort but it's better than having your machines rooted.

Re:Just goes to show...

[boots@work]

More on this:

Why would companies react slowly? They ought to have all the capabilities of free projects, plus money. How is it possible that they perform worse?

I don't know, but I have some theories:

- Companies tend to grow bureaucracy, which prevents fast action. Open source developers can just commit the change and be done.

- Companies don't like to admit they had mistakes.

- Vulnerability reports in open source are more likely to point out where the problem is, which makes it easier to fix.

- Open source projects can draw on a lot of highly-qualified resources in the community for advice.

Re:Just goes to show...

[aardvarkjoe]

I've been wondering if it isn't possible that its even less secure.

Of course not! There are thousands of slashdot posts asserting that it's not true. If that doesn't constitute proof, I don't know what does.

Re:Just goes to show...

[JamieF]

>Why more programs aren't written in it is beyond me.

Lots and lots of programs are written in Java. The OSS community hasn't embraced Java, though, because it's not open-source.

Java also doesn't satisfy the "Lookie I can run stuff on my 486!" fetish quite as well as C does.

Based on what I've read about Perl 6 and Mono, I would say that Sun has a limited amount of time to open-source Java before the window of adoption closes as far as the open-source crowd is concerned. Obviously the tools and infrastructure stuff will have to catch up (since Java development tools and app servers etc. are generally fantastic) but I doubt that Java could last forever as an open-source product if IBM or someone of their stature started to support one of those other languages.

(Yes, I know Mono is not a language.)

Second Level security?

[Manip]

Why don't highly important OSS projects use second level protection, like only allowing X user to modify files N Y P at a file system level? If such measures where taken the worst that could happen is a DOS attack.
This also helps to sell managed code for mission critical systems.

Re:Second Level security?

[CajunArson]

I think SELinux could help here, but while I think SELinux is the best thing since sliced bread, it is still non-trivial to setup and configure and this has been one of its major stumbling blocks to widespread acceptance. The newer mandatory access control systems need to be simple enough for the average administrator to tackle.

Re:Second Level security?

[Delirium+21]

Why don't highly important OSS projects use second level protection, like only allowing X user to modify files N Y P at a file system level?

The reason is simple. If a program is to allow any users (say, only those who are authorized to modify certain files), the program itself must have adequate permissions to modify those files. If they are system files, the program must be suid root.

Heap and buffer overflow attacks--like the sort discovered in CVS--allow unprivileged users to execute arbitrary code with the permissions of the program. Since the program itself has been hijacked, it bypasses exactly the sort of second-level protection you suggest.

Sandboxing techniques aim to counteract this by running the program in a "protected" environment, thus externalizing these kinds of checks you suggest. However, much research has shown that sandboxes themselves can be vulnerable, incomplete (think race conditions), and so on.

Security is a hard problem, and even common attack techniques are, from an algorithmic perspective, highly subtle. Simple answers often do not work.

Re:Second Level security?

[jonastullus]

because the whole idea of the "bazaar model" is to allow anyone to contribute. if your restrictions on who is allowed to do what are too stringent, interest on the part of possible developers dwindles and you'll have to all the work by yourself *g*.

apart from that, many high-profile OSS project use such an approach that only senior developers (i.e. those who have proven themselves reliable in the past) are allowed write access to the repositories. the most obvious case being the linux kernel itself, where most (if not all) patches go through the top level maintainers.

but instead of just restricting write access (which as i pointed out above can be a hinderance to OSS projects) you can introduce a slashdot-karma-like moderation that ensures that any added code was reviewed by another developer before it is "submitted" into the real repository.

anyway, by what criterium would you give out privileges to single users and restricted file sets?
managing huge OSS project is an unbelievably complex task and so far, most of the projects have proven to be pretty responsive towards security issues. but successful intrusions at debian, gnu, etc have shown that one definite draw-back of a completely open community is the risk of shipping planted, evil code!

well, time for my daily code-review ;-)

Re:Second Level security?

[Minna+Kirai]

Since the program itself has been hijacked, it bypasses exactly the sort of second-level protection you suggest.

But CVS and Subversion have no need to write to a "system" file, so this protection can work fine. And indeed, every serious CVS server admin has done something like this.

(Much more important, of course, is that CVS- or any important server- be run behind a separate, simpler server handling authentication. Usually ssh)

However, much research has shown that sandboxes themselves can be vulnerable, incomplete (think race conditions), and so on.

I don't really believe that- if the sanbox boundaries are sufficiently simple, verification is managable- but it's irrelevant anyway.

A CVS server will normally only have write permission to the files making up the source code repository. A correct sandbox would give no more protection than simple file ownership (which still allows exploits if a buffer overflow occurs- if a user could insert malicious code into the source without producing the normal check-in message, she can do much mischief to all the other developers)

Re:Second Level security?

[Minna+Kirai]

It seems that you are writing entirely from your imagination. Either you don't know how real OSS projects work, or you misread the parent post to think it suggested a drastic change to development methods.

because the whole idea of the "bazaar model" is to allow anyone to contribute

Almost no Open Source developer allows relative strangers write-access to a CVS repository. In reality, "bazaar" development allows anyone to create changes, but it's still up to the original author (or her trusted friends, or a declared maintainer) to actually add them to the codebase. (If they refuse, then somebody can decide to fork a new project containing the desired change)

Observe how Linux works: millions of people can create changes, which they can send to one of 20 people for possible inclusion. If approved, then the patch is sent onward to the single person maintaining that kernel release (Linus, Marcello, or someone like that).

That's why it has been broadly noted that CVS is sub-optimal for managing large Free/Open projects. The one master server is too much of a bottleneck/vulnerability. Competitors like BitKeeper have arisen to try making the management of source code as distributed as writing it.

(Amusingly, BitKeeper supports OSS style development but is not itself open source)

Re:Second Level security?

[wasabii]

Additionally, why does CVS or SVN need access to WRITE to the files at all? At least the anonymous portion. For non-anonymous access, the problem goes down to how Unix programs operate. Two choices can be made: 1) the program suids to the user requesting access 2) the program does the action on behalf of the user, weither he has a local account or not.

2 should never happen. It is insecure by design.

1 is preferable. Access happens as those needing access, system level. 1 however, for traditional Unix, requires the process to have root access to suid. This is unacceptable. Windows NT programs do not need Administrator access to conduct operations on behalf of a user, they just need that user's crediantials, which are passed to a trusted subsystem, and that subsystem grants the system the permissions neccassary. The OS doensn't trust the software. (I am in no way saying that Windows is "more secure", im just saying that in this particular example, it has the potential to be more secure, cleaner, and easier.)

What Unix really needs is a new way to suid. I would say it would work like this: The program passes the username/password the user sent to another component, which is out of process. Such as a daemon, or maybe kernel level. That other process uses the local system configuration to make a determination weither or not the CVS daemon should be able to conduct operations on the user's behalf, and grants only those permissions needed to a certain context, even involving a time frame if neccassary. The program does the actions, and then "releases" the access.

That's how It Should Be.

Re:Second Level security?

[Minna+Kirai]

Seriously, your solution to the problem makes the source closed to the world and only open to input from 'trusted' people. Managing the list of trusted people would be a huge job on a large project where a million code monkeys are contributing.

Oh my! Here's another poster with no idea how OSS actually works.

Guess what: there really IS a small list of trusted people, and somebody works manage which of the million possible helpers deserves to

Handling "millions" is actually a simple problem for a computer programmer. Any good coder is familiar with binary tree division, which allows you to handle lists of any size with just a few (max ~7) layers of hierarchal control.

If you want to restrict contributions to people you really trust then don't put your CVS repository on a public server.

Try this: go over to sourceforge.net, pick a random project, and add a file into the CVS tree. Good luck, you'll need it. The only way you can contribute is to convince a live human project-member that your code is worthwhile.

Re:Second Level security?

[Rick+and+Roll]

Security is a hard problem

P class or NP class?

Re:Second Level security?

[Gilk180]

The most obvious reason for subversion repos is that subversion uses a small number of berkeley db files for the entire repository, so filesystem level controls may apply to the entire repository, but not individual files.

With cvs, this is possible if the filesystem uses acl's. If not, there are only the standard user, group and other categories, so there are only 3 possible access levels. Additionally, when a new file is created, the admin will have to set the permissions on these.

I believe it would be nice to build this into the control system so that a user could specify the privileges for each added file, but that would probably require the system itself to be suid to either root or some repository-specific user, which would make exploits possibly more dangerous.

Re:Second Level security?

[mec]

That's right. In November 2003, there was an unsuccessful Trojan-CVS attack on the Linux kernel.

Linux kernel development process thwarts subversion attempt

The attack failed because, basically, the CVS repositories for the linux kernel are not the real source trees -- they are just mirrors of people's bitkeeper trees.

And here is a Trojan FTP attack. Of course CVS and FTP are different protocols, but the idea is similar -- inject malware into the OSS development stream.

Great!

[Psychor]

Great, I'll grab it just as soon as the source for the patch goes into CVS! Oh wait...

Re:Great!

[bladernr]

CVS: Putting the "Open" back in "Open Source Software"

open source databases??

Flaws drill holes in open-source databases

Geez, this is why open source needs a frickin' PR department. These flaws DRILL HOLES!!! Into Open source DATABASES!! OMGLOLWTF??!111

CVS and its pudgy cousin Subversion are not databases. They may use the *concept* of a database *internally*, but then again so do iTunes and Emacs and probably a bunch of other programs.

Does CNET not understand the concept of a version control system? Hint: only people who know what they are use them in the first place.

Regardless, I only use these things via SSH, and have never recommended running CVS with pserver or Subversion via Apache or its server, except on a well-firewalled LAN. I think that's the common practice anyway.

Pretty good rule of thumb: if you can run the service over an SSH tunnel, DO IT! Don't assume Yet Another Server Daemon is secure. Then you just have to keep an eye out for SSH exploits (which you should be doing anyway since SSH bugs are more serious than bugs in TEH OPEN-SORCE DATABASS anyway!).

Re:open source databases??

[bruthasj]

CVS and its pudgy cousin Subversion are not databases.

CVS uses RCS as a back-end store. Subversion uses Berkley DB as a back-end store.

Re:open source databases??

[damiam]

Evolution also uses Berkley DB as a back-end store. Slashcode uses MySQL. That doesn't make them databases. They are an email client and a CMS, respectively. CVs and SVN are both version control systems, not databases, whether or not the use databases on the back end.

Re:open source databases??

[shird]

"CVS repository."

repository
1. See data dictionary.
2. The core of a CASE tool, typically a DBMS where all development documents are stored.

Shit, seems like calling it a '..source database' isn't too far off the mark for a news outlet. Better than 'the fabric of the internet' or something gay.

give these guys a break.

Re:open source databases??

[shird]

that should have read:

repository
1. /database/ See data dictionary.
2. /programming/ The core of a CASE tool, typically a DBMS where all development documents are stored.

Re:open source databases??

[Minna+Kirai]

CVS uses RCS as a back-end store.

Hasn't been true for a long time. Now CVS reads/writes directly, with no RCS process active. But even if that were still the case, saying "CVS is a database" is like "airplanes are wings".

Re:open source databases??

[tumbaumba]

They may use the *concept* of a database *internally*, but then again so do iTunes and Emacs and probably a bunch of other programs.

I concur about emacs. Not only it is a database but it can also do this and that. Now if only I could make my emacs to brew coffee.

Re:open source databases??

[florist]

Now if only I could make my emacs to brew coffee.

you can. there is a coffee.el package
http://list-archive.xemacs.org/xemacs-beta/199909/ msg00368.html

Re:open source databases??

[Dahan]

You can't provide anonymous cvs ... access through ssh.

Demonstrably false.

Re:open source databases??

[bruthasj]

Hasn't been true for a long time. Now CVS reads/writes directly, with no RCS process active.

Sorry, meant to say RCS format plain text files.

But even if that were still the case, saying "CVS is a database" is like "airplanes are wings".

Database

I do not agree with you. Just like I wouldn't agree if you said filesystems weren't databases. For crying out load, my blog is a database!

Good news for Samba...

[NEOtaku17]

"The Samba Project, which maintains file server software that integrates with Microsoft Windows networks, uses Subversion. However, the project's developers were warned about the security issue before it was made public, Esser noted."

- By Robert Lemos Staff Writer, CNET News.com

uh oh!

[L0stm4n]

hopefully no evil hax0rs use this to steal the source code of linux! ( I know it in't in a cvs but it has a cvs gateway )

Re:uh oh!

[GregAndreou]

Steal the source code? They could just download it from kernel.org...

Re:uh oh!

[damgx]

You know what happens if you steal from Santa right?

You go on his "bad" list. And as Linus says: Don't mess with penguins.

Another security flaw found

[Canberra+Bob]

Just goes to show how open source leads to insecure software and the commercial software model is better.

Oh wait..thats not right...

Take 2

this just goes to show that with so many eyes viewing the software that bugs will be found and corrected, and we do not know how many undetected bugs are in commercial software.

Re:Another security flaw found

[thebatlab]

"and we do not know how many undetected bugs are in commercial software."

Nor do we know how many undetected bugs there are in open-source software. I guess that's why they are...undetected ;)

pserver only

[cperciva]

Note that this problem only exists in pserver code. Anyone using pserver on critical systems needs to reassess their security anyway.

Re:pserver only

[arkanes]

You mean like sourceforge? Anonymous CVS access is a pretty import thing to alot of projects.

Re:pserver only

[cperciva]

You mean like sourceforge?

I'm quite happy with saying that SourceForge should reassess their security.

Anonymous CVS access is a pretty import thing to alot of projects.

There are much better options; CVSup and rsyncing tarballs are probably the best.

Re:pserver only

[kryptkpr]

I'm quite happy with saying that SourceForge should reassess their security.

Do you actually run projects at SourceForge? You have to use a ssh tunnel to be able to write to any project repository.

CVS and Subversion?

I knew that Subversion was complete in its support for CVS users, but this is going too far.

Laugh, it's a joke.

Re:If CVS was implemented in Java...

[jonastullus]

how about: java is not Free

while all these buffer overflows, etc are more than a nuissance in C/C++, many of the bugs stem from a misunderstanding on the part of the programmer (i.e. use of deprecated functions, ...). of course, this does not make it any better and in my opinion manual memory allocation is the GREATEST possible waste of a programmer's time (sensible exceptions excluded ;-).

languages featuring garbage collection, length encoded strings, array bound checks, etc are hopefully the future, but at the moment (not least due to the lack of a free java compiler/interpreter/RE) many libraries and toolkits are still written for C/C++ and thus are also mostly used from these two languages.

Re:Is it the same flaw?

[breser]

No whoever submitted the article to Slashdot was confused. If you read the news.com article carefully it is clear that they're separate issues.

But just to make things clearer here are the links to the advisories:
Subversion
CVS

I also put up a more clear description of the Subversion problem up on subversion site.

Re:If CVS was implemented in Java...

[jonastullus]

java is not slow, it has a high overhead on startup!

it is just that the loading of the runtime engine, garbage collector, on-the-fly-compiling by the interpreter, etc produce a high overhead at startup. thus small, short programs seem to run slow, whereas in big applications the speed penalty is marginal!

Re:If CVS was implemented in Java...

[fishdan]

Your post actually raises some interesting issues, but you will almost certainly be modded as flamebait because of your silly petty comments about older languages. There really are no bad languages, only bad developers. Except for Scheme -- it sucks (kidding!!)

There is some merit to talking about some mission critical programs being moved to java, but of course you have to recognize that VM's are vulnerable to all sorts of hacks.

I do think that java probably is preferable as a language for avoiding buffer overflow vulnerabilities, especially for less experienced developers. It will be interesting to see how James will stack up with the notoriously holy (pun intended--damn I crack myself up) Sendmail. There ARE other examples of java in critical situations, I'm sure -- but none spring to mind.

I do constantly use java to write the shell stuff that I know someone is going to bang on -- just because I haven't seen a root exploit from a java process yet.

FC2

According to the alerts below, Fedora Core 2 has these vulnerabilities, and furthermore, they can lead to arbitrary code execution:

FC2 CVS alert

FC2 Subversion alert

I can understand that a buffer overflow can cause a DoS (e.g. crashing a daemon), but how can it lead to arbitrary code execution with FC2's kernel-level stack protection? Is this just a cut and paste typo from alerts of older distros?

Re:FC2

The CVS vulnerability, at least, is a heap-level vulnerability. While you should be able to protect the heap the same way you can protect the stack, I don't know if FC2 actually does so, or enables it by default (or maybe they put it in the advisory for those people disable it). Also, I heard this whole non-execute thing depends on the ELF file (so that things like JIT compilers can still work), and it doesn't work perfectly without a no execute bit. Heaps tend to be harder to exploit, because they don't grow down like stacks, but they can still be exploited with some cleverness (like this CVS exploit).

Anyway, I don't really know anything, just shooting the breeze here, but yeah, stack protection isn't a pancaea, although it really should help a lot. I'm with you, wondering about whether this is really going to allow arbitrary code execution.

I also can't believe Subversion had a flaw in the date parsing code. Anything that does parsing should always be checked and double checked for vulnerabilities, especially something as complicated as date formats (the Subversion date stuff is much more limited than CVS's, so you think they'd have gotten it right the first time). They certainly had enough time to work on it.

Re:FC2

[IamTheRealMike]

When exec-shield randomization is enabled, the DSO load addresses are scrambled. What that means is that while you can run arbitrary code, it's not really possible to make any library calls. Have you ever written non-trivial code without the presence of libc? I have, it's not much fun. You have to do everything using direct syscalls into the kernel, which is tricky and limited.

So in short while exec-shield in this case won't prevent the overflow (as it can with ASCII stack based overflows), it does make it harder to do things when you've infiltrated the system.

Re:Wait!

[endx7]

Of course not. This is not the first vulnerability either.

Just because you found a bunch of problems a while ago doesn't mean you shouldn't look at the code again later.

Re:Unsurprising

[boots@work]

Dr Hos'e may have indulged in the trollish arts in the past, but he does have a point:

how many otherwise great programmers and source control systems gurus cannot post bugfixes to CVS and Subversion codebases thanks to Bitkeeper's EULA

I've received patches from kernel developers for my open source programs. The BK licence makes them give up the right to file CVS or Subversion bug reports, in order to use BK for free.

I don't think CVS or Subversion would suit Linus's style, but maybe Arch or Darcs will in the future.

Re:Heap overflow?

[boots@work]

It's where a variable on the heap gets overwritten:

char *a = malloc(4), *b = malloc(4);
strcpy(a, "hello to all my fans in domestic surveillance");
/* kablooey */

The strcpy writes past the end of the allocated buffer. Several things might happen: first, and the best possible outcome is that it writes to an unmapped page and you die immediately with segv. Or it writes over a malloc control structure and a later call to malloc() or free() causes an indirect crash. (Sometimes called a "heap scribble".) Or it might write over some other heap variable, like b in this example.

Which one happens depends on the libc and the allocation pattern, but for any app on any particular system it may be predictable.

The one that is easiest to exploit is writing over another variable, like b. This gives the attack a way to write into a variable they weren't meant to access, which leads in short order to the computer being stretched wide open.

What Do I Do?

[ewhac]

I run a CVS server on behalf of a client on a FreeBSD box. It is running in pserver mode, and is launched by cvsd , which is a chroot() jail for CVS.

It is not clear from the sensationalistic news story what an administrator should do, or whether my particular configuration is vulnerable. Could a more knowledgeable person please summarize the issues involved, or point to the original vulnerability report so I can evaluate my risk?

Thanks,
Schwab

Re:What Do I Do?

[endx7]

Just update CVS from FreeBSD whenever they apply the fix. If FreeBSD haven't made a new release yet, then you might want to turn off public access until it's fixed.

The issue has been announced via the normal announcement channels for FreeBSD and an advisory which explains what to is available. I actually got the FreeBSD advisory before I heard about it on slashdot.

An argument for distributed version control

[boots@work]

These vulnerabilities are a consequence of an architectural security flaw in both CVS and Subversion: they require an active server that talks a complex protocol to an unauthenticated client.

Whenever you allow an untrusted client to control code running on your server, there is a risk of a compromise.

The distributed version control systems Darcs and Arch show a better way. Read-only access requires only some read-only files published over HTTP. Since most projects already have a web site, this means there is no increase in the network services that need to be offered.

Once those files are downloaded, the anonymous user can get updates, make their own patches, branch -- all the facilities allowed by anonsvn/anoncvs and more.

Re:An argument for distributed version control

Almost all projects that publish anoncvs also publish web pages, and putting additional files on the web site is much less risky than running a whole new server.

subversion uses apache, which means you don't have to have a whole new server. You have a point about being able to write simple read-only HTTP servers, but in order to run a version control system you're going to have to have writing somewhere, and distribution of the server isn't going to help.

As i pointed out before, it only makes more of the system untrustworthy. With the client/server model you can't trust input from the client, but with distribution you can't trust the client and you can't trust anything coming from the other servers.

The version control system doesn't trust the web server, or receive any input from the network.

Thankyou for trolling!

so you're going to have a non-networked distributed version control system! :o) Look who's trolling now.

the same Anon Coward

Re:An argument for distributed version control

[boots@work]

subversion uses apache, which means you don't have to have a whole new server.

Subversion uses Apache2, which *is* a whole new server from what the majority of people are running these days. Subversion deployed under Apache requires you to run a new DAV module under Apache -- and there has been quite a number of exploitable vulnerabilities in the neon DAV code over the last few years. Publishing a public Subversion repo requires you to run 10,000s of lines of new network-accessible code.

Also, Subversion requires that Apache have filesystem write access to the db files in the repo. So all in all it is a pretty unattractive proposition.

in order to run a version control system you're going to have to have writing somewhere

Writing in Darcs or Arch only occurs over SSH by the one person who owns the archive. There is no increased exposure. Anyone who is reading the anonymous archives can mail me diffs, as before. Now, perhaps they could try to break into my mailserver but they could try that before too.

I don't think your concerns about "more of the system being untrustworthy" reflect an understanding of the way these systems actually work. But if you want to give a proper argument please do.

Let me draw you a picture.

1: Project before using version control: one read-only web server, accessible over ssh, developer has an email account.

2A: After adopting darcs: no increase in exposure. Developer publishes stuff by pushing it onto the web server over SSH, just as they do for the web site. Developer gets patches by email.

2B: Contrariwise, after using CVS or Subversion, in the safest possible way to use them: A new service, of 10000s of lines of C code runs on the public server, accepting connections from arbitrary clients. The service needs to be able to write to files on the server. It is likely that the canonical repository resides on the same machine, so you put your crown jewels on the very machine which just opened up a new potential vulnerability.

To me, scenario 2B looks worse than 2A.

good thing only major users are safe...

[Frennzy]

Quote:

Apparently, major users of these products (Linux and BSD distros, Samba, etc.)

Well, it's a damn good thing the *major users* are already safe. I can rest easy tonight knowing that just because I am a "Linux and BSD distro, Samba, etc.) user that I am safe.

Sorry, my sarcasm bit must be stuck.

Re:distro updates?

[MobyTurbo]

Slackware has released a security update.

Neither of the bugs were bounds-checking related..

[Ayanami+Rei]

Source Compatibility vs. Binary Compatibility

[Lennie]

Not sure, but I think one issue is, in the Win32 world things need to be binary comp. where as in the OSS world, source comp. is enough.

If you have a vuln. in a Debian package, you do

apt-get update && apt-get -u install package

You'll see that (especially if it's a library) all kinds of other packages will automatically be upgraded

The same will not happen in the Win32-world.

Re:Heap overflow?

[kasperd]

I'm familiar with stack overflows.

Maybe you are thinking about stack based buffer overflows. Stack based buffer overflows are often easy to exploit, and I think more than 50% of the worms on the internet use such exploits. It just means that you can overflow a buffer, which is allocated on the stack. When such an overflow happens, the return address is usually just a few bytes away, so you can change the return address to point into the buffer you just filled with code.

A stack overflow OTOH rarely happens, unless you trigger an infinite recursion in the code. Normally a stack overflow will just result in a DoS attack, because the OS will kill any process that overflows its stack. There should always be an unmapped page between the stack and any other mapping, such that overflows can be catched. (Could you overflow a kernel stack it would be an entirely different matter)

A heap overflow just means you overflow a buffer allocated from the heap. Any return address is far away, so they are not as trivial to exploit. But you can corrupt memory management data structures, which you might be able to use to have the memory management system return allocations overlapping with other important areas, which you might then be able to get overwritten. It can get very complicated. Take a look on Vudo - An object superstitiously believed to embody magical powers (Smashing The Heap For Fun And Profit)

FALSE! You little history revisionist you.

You just made a double-fault.

... was originally a Perl program ...

Patently False

HISTORY of CVS:

[...]

CVS algorithms actually started in Universities several decades ago and CVS implementation started out as a bunch of shell scripts written by Dick Grune, who posted it to the newsgroup comp.sources.unix in the volume 6 release of December, 1986. While no actual code from these shell scripts is present in the current version of CVS much of the CVS conflict resolution algorithms come from them. In April, 1989, Brian Berliner designed and coded CVS. Jeff Polk later helped Brian with the design of the CVS module and vendor branch support.

[...]

source: CVS-RCS-HOWTO

Ironically, CVS was originally a Perl program until a C version was needed to make it real software.

It's NOT! It's something else. irony misuse